Welcome
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Scanning for security vulnerabilities
To scan source code for security vulnerabilities, follow the steps in these topics.
Technical preview: Simplified configuration process for .NET data flow analysis
AppScan on Cloud offers a new way to generate an .irx file for scanning .NET applications, using dataflow analysis for .NET source code (C# and VB.NET),

Getting started
Welcome to the documentation for HCL AppScan on Cloud, where you can find information about how to install, maintain, and use this service.
Navigation
This section describes the items on the main AppScan on Cloud menu bar, with links to more detailed information.
Administration
Define users, applications, policies, and configure DevOps integrations.
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
Interactive monitoring
Using an agent installed on your application, ASoC identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
- About static analysis (SAST)
- System requirements for static analysis
  Supported operating systems and the types of files, locations, and projects that can be scanned by ASoC when you perform static analysis.
- Scanning for security vulnerabilities
  To scan source code for security vulnerabilities, follow the steps in these topics.
  - Configure a scan in AppScan on Cloud
    Configure a static analysis scan.
  - Configuring a scan using AppScan Go!
    AppScan Go! steps you through configuring and running a static scan. Run the scan in the cloud or use a plugin to automate scanning.
  - Generating an IRX file using the command-line interface (CLI)
    To initiate an analysis of your files, you must generate an IRX file to submit for scanning. To use the CLI to generate the IRX file, follow these instructions.
  - Generating in IRX file using a plugin or IDE
  - Technical preview: Simplified configuration process for .NET data flow analysis
    AppScan on Cloud offers a new way to generate an .irx file for scanning .NET applications, using dataflow analysis for .NET source code (C# and VB.NET),
  - About Software Composition Analysis
    Software Composition Analysis (SCA) identifies and examines open-source packages within your codebase to detect potential security vulnerabilities. SCA can analyze both individual source code files and package manager artifacts, such as configuration files, and lockfiles, to determine the open-source packages your project depends on.
  - Static analysis integrations
  - Submitting HCL AppScan Source assessments to the Cloud for analysis
    If you have a subscription to HCL AppScan on Cloud, you can submit AppScan Source assessments for analysis there. Assessments from AppScan Source Versions 9.0 or higher are supported. The number of scans you can submit depends on your ASoC subscription.
  - Best practices for Java scanning
  - Static analysis scan results
    The SAST scanning engine uses AI and complementary technologies to improve detection accuracy and streamline result analysis.
- Sample apps and scripts
  Use these sample applications to practice scanning with ASoC.
- Static analysis troubleshooting
  If you experience problems with static analysis, you can perform these troubleshooting tasks to determine the corrective action to take.
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.The Scans and Sessions page lists scans under the categories where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
Troubleshooting
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
FAQ & Reference
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.

Technical preview: Simplified configuration process for .NET data flow analysis

AppScan on Cloud offers a new way to generate an .irx file for scanning .NET applications, using dataflow analysis for .NET source code (C# and VB.NET),

Currently, when ASoC encounters a Visual Studio solution file (.sln file), it builds the solution and project(s) to generate the .NET assemblies (.dll and .exe files), then processes those .NET assemblies to produce the .irx file that is submitted for analysis.

When this new functionality is enabled by the user, ASoC can process the Visual Studio source code directly to produce the .irx file to be analyzed. This results in:

Faster .irx generation.
Systems flexibility: availability of the build environment to compile the source code into .NET assemblies is not required.
Source to Sink dataflow results for source code.
Cross-platform .NET support.

Enable this functionality in one of three ways:

Using an environment variable to apply globally:
- Windows: set APPSCAN_OPTS=-DNewDotNetEngine
- Linux/Mac: export APPSCAN_OPTS="-DNewDotNetEngine"
Add a parameter to the appscan prepare command when using the Static Analyzer Command Line Utility:
```
appscan.bat prepare -DNewDotNetEngine
```

Specify an attribute in appscan-config.xml:

In the Configuration element:

<Configuration NewDotNetEngine="true">
    <Targets>
        <Target path="."/>
    </Targets>
</Configuration>

Once enabled, when a Visual Studio solution file (.sln file) is found during scan configuration, all C# (.cs) and VB.NET (.vb) source files are processed during the generation of the .irx file. After the .irx is analyzed in AppScan on Cloud, results showing Source to Sink traces are available in scan results.